happen, eventually — is a classical liveness property, bounded response — that "something good" will happen soon, within a certain amount of time — has

1  Safety, Liveness, and Operationality

The behavior of a discrete reactive system can be described as an infinite string

$$\sigma:\ \sigma_0\ \sigma_1\ \sigma_2\ \sigma_3\ \sigma_4\ \cdots$$

over an alphabet $\Sigma$, which represents the states of the system. A property $\Pi$ is a subset of $\Sigma^\omega$, the set of all infinite strings over $\Sigma$; a reactive system has property $\Pi$ iff all of its possible behaviors are contained in $\Pi$.

It is useful to classify properties of reactive systems into two categories, because they require fundamentally different means for their specification and verification [Lam77]:

•  A safety property stipulates that "nothing bad" will happen, ever, during the execution of a system. If "something bad" were to happen during the execution, it would have to happen within a finite number of states. Thus we can formalize safety as follows:

   $\Pi \subseteq \Sigma^\omega$ is a safety property iff for all $\sigma \in \Sigma^\omega$, whenever every finite prefix of $\sigma$ can be extended to a string in $\Pi$, then $\sigma \in \Pi$ [ADS86].

* This research was supported in part by an IBM graduate fellowship, by the National Science Foundation grants CCR-89-11512 and CCR-89-13641, by the Defense Advanced Research Projects Agency under contract N00039-84-C-0211, and by the United States Air Force Office of Scientific Research under contract AFOSR-90-0057.

•  A liveness property stipulates that "something good" will happen, eventually, during the execution of a system. If "nothing good" were to happen during the execution, an irremediable situation would have to be reached within a finite number of states. Thus we can formalize liveness as follows:

   $\Pi \subseteq \Sigma^\omega$ is a liveness property iff every finite prefix of a string in $\Sigma^\omega$ can be extended to a string in $\Pi$ [AS85].

There is a natural topology on $\Sigma^\omega$ in which the safety properties are exactly the closed sets, and the liveness properties are exactly the dense sets. It follows immediately that only $\Sigma^\omega$ itself is both a safety and a liveness property.

We say that a safety property $\Pi_S$ and a liveness property $\Pi_L$ specify the property $\Pi = \Pi_S \cap \Pi_L$ congruously iff every finite prefix of a string in $\Pi_S$ can be extended to a string in $\Pi$. In other words, the safety part of a congruous specification is complete: the liveness part does not preclude any safe prefixes. A congruous pair $(\Pi_S, \Pi_L)$ is called machine closed in [AL88], feasible in [AFK88], and $\Pi_L$ is called live with respect to $\Pi_S$ in [DW90].

In  [AS85]  it  is  shown  that  every  property  is  the  intersection  of  a  safety 
property  and  a  liveness  property.  It  is  well-known  that  the  construction  given 
there  actually  proves  the  following  stronger  result. 

Theorem  1  (Existence  of  congruous  specifications)  Every  property  has  a 
congruous  specification. 

Proof sketch of Theorem 1  Since safety properties are closed under intersection, we can define the closure $\overline{\Pi}$ of $\Pi \subseteq \Sigma^\omega$ as the smallest safety property containing $\Pi$. Given a property $\Pi$, let $\Pi_S$ be $\overline{\Pi}$. For $\Pi_L$ take the complement of $\Pi_S - \Pi$. Then $(\Pi_S, \Pi_L)$ specifies $\Pi$ congruously. ■

Congruous specifications are operational: a machine that incrementally generates safe execution sequences will never reach an irremediable situation from which the liveness conditions cannot be satisfied. On the other hand, a machine trying to execute an incongruous specification without look-ahead may "paint itself into a corner" from which no legal continuation is possible [AFK88]. Examples of congruous specifications are fair transition systems [Pnu86]; examples of formalisms that admit incongruous specifications are temporal logic [Pnu77] and finite automata [Tho90].
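The following is an added example (editor's code, not from the paper) that makes the congruity check of this section mechanical for finite-state specifications. The safety part $\Pi_S$ is given as a DFA whose absorbing reject state marks the unsafe prefixes, the liveness part $\Pi_L$ as a deterministic Büchi automaton, and $\Pi = \Pi_S \cap \Pi_L$ as their product; a finite prefix lies in the closure $\overline{\Pi}$ iff its run ends in a product state from which an accepting cycle is still reachable. The search returns a prefix that is safe for $\Pi_S$ yet cannot be extended to a string in $\Pi$ (the corner a look-ahead-free machine paints itself into), or reports the pair congruous; `closure_safety_dfa` is the construction of Theorem 1, $\Pi_S' = \overline{\Pi}$. The automata `NO_A_AFTER_B` and `INF_MANY_A`, all names, and the assumption that the safety automaton's sink is absorbing are the editor's own.

```python
"""Congruity (machine closure) check for Pi = Pi_S /\ Pi_L, finite-state case.
Editor's added example, not code from the paper.  Pi_S is a DFA with an
absorbing sink (prefixes that enter it are unsafe), Pi_L a deterministic
Buechi automaton; both automata below are the editor's own constructions."""
from collections import deque

class DFA:
    """Safety automaton; assumption: `sink` is absorbing."""
    def __init__(self, delta, init, sink):
        self.delta, self.init, self.sink = delta, init, sink

class DBA:
    """Deterministic Buechi automaton: accept iff an `accepting` state is
    visited infinitely often."""
    def __init__(self, delta, init, accepting):
        self.delta, self.init, self.accepting = delta, init, accepting

def reachable(delta, start):
    """States reachable from `start` by one or more transitions."""
    seen, todo = set(), deque(delta[start].values())
    while todo:
        q = todo.popleft()
        if q not in seen:
            seen.add(q)
            todo.extend(delta[q].values())
    return seen

def good_states(dba):
    """States from which an accepting state on a cycle is still reachable.
    A prefix whose run ends in such a state lies in the closure of L(dba)."""
    on_cycle = {f for f in dba.accepting if f in reachable(dba.delta, f)}
    return {q for q in dba.delta if q in on_cycle or on_cycle & reachable(dba.delta, q)}

def product(safety, live, alphabet):
    """DBA for Pi = Pi_S /\ Pi_L: the safety part must stay out of its sink
    and the liveness part must accept."""
    delta, accepting = {}, set()
    for s in safety.delta:
        for l in live.delta:
            delta[(s, l)] = {a: (safety.delta[s][a], live.delta[l][a]) for a in alphabet}
            if s != safety.sink and l in live.accepting:
                accepting.add((s, l))
    return DBA(delta, (safety.init, live.init), accepting)

def run(dba, word):
    q = dba.init
    for a in word:
        q = dba.delta[q][a]
    return q

def prefix_in_closure(dba, word):
    """True iff `word` extends to an infinite word accepted by `dba`."""
    return run(dba, word) in good_states(dba)

def incongruity_witness(safety, live, alphabet):
    """Shortest prefix that is safe for Pi_S yet cannot be extended to a word
    in Pi, or None if (Pi_S, Pi_L) is congruous.  Breadth-first search over
    the product, so the witness found is a shortest one."""
    prod = product(safety, live, alphabet)
    good = good_states(prod)
    todo, seen = deque([(prod.init, "")]), {prod.init}
    while todo:
        (s, l), word = todo.popleft()
        if s != safety.sink and (s, l) not in good:
            return word
        for a in alphabet:
            nxt = prod.delta[(s, l)][a]
            if nxt not in seen:
                seen.add(nxt)
                todo.append((nxt, word + a))
    return None

def closure_safety_dfa(safety, live, alphabet):
    """Theorem 1's construction Pi_S' = closure(Pi): product states from which
    Pi can no longer be met are merged into a fresh absorbing sink."""
    prod = product(safety, live, alphabet)
    good = good_states(prod)
    delta = {"sink": {a: "sink" for a in alphabet}}
    for q, trans in prod.delta.items():
        if q in good:
            delta[q] = {a: (t if t in good else "sink") for a, t in trans.items()}
    return DFA(delta, prod.init if prod.init in good else "sink", "sink")

# Constructed example over Sigma = {a, b}.
ALPHABET = ("a", "b")
# Pi_S: "no a after a b"; X is the absorbing sink.
NO_A_AFTER_B = DFA({"0": {"a": "0", "b": "1"},
                    "1": {"a": "X", "b": "1"},
                    "X": {"a": "X", "b": "X"}}, init="0", sink="X")
# Pi_L: "infinitely many a" (every prefix extends, so it is a liveness property).
INF_MANY_A = DBA({"A": {"a": "A", "b": "B"},
                  "B": {"a": "A", "b": "B"}}, init="B", accepting={"A"})

if __name__ == "__main__":
    # Pi = Pi_S /\ Pi_L = {a^omega}; the safe prefix "b" is already a dead end.
    print(incongruity_witness(NO_A_AFTER_B, INF_MANY_A, ALPHABET))  # b
    repaired = closure_safety_dfa(NO_A_AFTER_B, INF_MANY_A, ALPHABET)
    print(incongruity_witness(repaired, INF_MANY_A, ALPHABET))      # None
```

The repaired pair $(\overline{\Pi}, \Pi_L)$ keeps the same $\Pi$, since $\Pi \subseteq \overline{\Pi} \subseteq \Pi_S$, but a machine that only emits prefixes accepted by the repaired DFA can always go on to satisfy $\Pi_L$; this is the operational content of Theorem 1.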
2  Relative Safety and Liveness

Instead of looking at all strings in $\Sigma^\omega$, it is often useful to have a concept of safety and liveness under the assumption that, a priori, only a certain subset $\Psi \subseteq \Sigma^\omega$ of strings are possible behaviors of a system. We call this notion safety and liveness relative to the property $\Psi$:

•  $\Pi \subseteq \Psi$ is a safety property relative to $\Psi \subseteq \Sigma^\omega$ iff for all $\sigma \in \Psi$, whenever every finite prefix of $\sigma$ can be extended to a string in $\Pi$, then $\sigma \in \Pi$.

•  $\Pi \subseteq \Psi$ is a liveness property relative to $\Psi \subseteq \Sigma^\omega$ iff every finite prefix of a string in $\Psi$ can be extended to a string in $\Pi$.

Thus unconditional safety and liveness are safety and liveness relative to $\Sigma^\omega$.

The natural topology on $\Sigma^\omega$ induces a topological subspace on $\Psi \subseteq \Sigma^\omega$, which is called the relativization of the $\Sigma^\omega$ topology to $\Psi$ [Kel55]. We show that the properties that are safe relative to $\Psi$ are exactly the closed sets of the relative topology, and the properties that are live relative to $\Psi$ are exactly the dense sets of the relative topology.

Proposition 1 (Relative safety)  $\Pi \subseteq \Psi$ is a safety property relative to $\Psi \subseteq \Sigma^\omega$ iff $\overline{\Pi} \cap \Psi \subseteq \Pi$.

Proposition 2 (Relative liveness)  $\Pi \subseteq \Psi$ is a liveness property relative to $\Psi \subseteq \Sigma^\omega$ iff $\Psi \subseteq \overline{\Pi}$.

Proof of Propositions 1 and 2  First observe that a string $\sigma \in \Sigma^\omega$ is in the closure of a property $\Pi \subseteq \Sigma^\omega$ (that is, $\sigma \in \overline{\Pi}$) iff every finite prefix of $\sigma$ can be extended to a string in $\Pi$. Then apply this observation to the definitions of relative safety and relative liveness. ■

It follows that $\Pi$ is safe relative to $\Psi$ iff $\Pi = \Pi_S \cap \Psi$ for some unconditional safety property $\Pi_S$. In particular, if the property $\Pi = \Pi_S \cap \Pi_L$ is specified by a safety property $\Pi_S$ and a liveness property $\Pi_L$, then $\Pi$ is safe relative to $\Pi_L$. Furthermore, if the specification $(\Pi_S, \Pi_L)$ is congruous, then $\Pi$ is live relative to $\Pi_S$.

It is convenient to extend the notions of safety and liveness relative to a property $\Psi$ to properties that are not necessarily subsets of $\Psi$: we say that $\Pi \subseteq \Sigma^\omega$ is a safety (liveness) property relative to $\Psi \subseteq \Sigma^\omega$ iff $\Pi \cap \Psi$ is safe (live) relative to $\Psi$. Clearly, unconditional safety properties are, in this sense, safe relative to any property $\Psi$. More generally:

Proposition 3 (Downward preservation of safety)  Suppose that $\Psi_1 \subseteq \Psi_2$. If $\Pi$ is a safety property relative to $\Psi_2$, then it is also a safety property relative to $\Psi_1$.




Proof of Proposition 3  Let $\Psi_1 \subseteq \Psi_2$. First observe that the closure operator is monotonic; that is, $\Pi \subseteq \Psi$ implies $\overline{\Pi} \subseteq \overline{\Psi}$ for all $\Pi, \Psi \subseteq \Sigma^\omega$. In particular, we have $\overline{\Pi \cap \Psi_1} \subseteq \overline{\Pi \cap \Psi_2}$.

By Proposition 1, we may assume that

$$\overline{\Pi \cap \Psi_2} \cap \Psi_2 \subseteq \Pi \cap \Psi_2$$

and need to show that, then,

$$\overline{\Pi \cap \Psi_1} \cap \Psi_1 \subseteq \Pi \cap \Psi_1 .$$

The derivation is simple. ■

The converse of Proposition 3 holds only in a very restricted case:

Proposition 4 (Upward preservation of safety)  Suppose that $\Pi \subseteq \Psi_1 \subseteq \Psi_2$. If $\Pi$ is a safety property relative to $\Psi_1$ and $\Psi_1$ is a safety property relative to $\Psi_2$, then $\Pi$ is a safety property relative to $\Psi_2$.

Proof of Proposition 4  Again, use Proposition 1 and the monotonicity of the closure operator. ■
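The two derivations that the proofs of Propositions 3 and 4 leave to the reader, carried through here as an added worked example in the paper's own notation (editor's addition, not part of the original text). Both use only Proposition 1 and the monotonicity of the closure operator.

For Proposition 3 the hypotheses are $\Psi_1 \subseteq \Psi_2$ and $\overline{\Pi \cap \Psi_2} \cap \Psi_2 \subseteq \Pi \cap \Psi_2$, and

$$
\begin{aligned}
\overline{\Pi \cap \Psi_1} \cap \Psi_1
&\subseteq \overline{\Pi \cap \Psi_2} \cap \Psi_1 && \text{(monotonicity, since } \Pi \cap \Psi_1 \subseteq \Pi \cap \Psi_2\text{)} \\
&= \overline{\Pi \cap \Psi_2} \cap \Psi_2 \cap \Psi_1 && (\Psi_1 \subseteq \Psi_2) \\
&\subseteq \Pi \cap \Psi_2 \cap \Psi_1 && \text{(hypothesis)} \\
&= \Pi \cap \Psi_1 ,
\end{aligned}
$$

which is the condition of Proposition 1 for $\Pi \cap \Psi_1$ relative to $\Psi_1$.

For Proposition 4, $\Pi \subseteq \Psi_1 \subseteq \Psi_2$, so the hypotheses read $\overline{\Pi} \cap \Psi_1 \subseteq \Pi$ and $\overline{\Psi_1} \cap \Psi_2 \subseteq \Psi_1$; monotonicity gives $\overline{\Pi} \subseteq \overline{\Psi_1}$, hence

$$
\overline{\Pi} \cap \Psi_2 \subseteq \overline{\Psi_1} \cap \Psi_2 \subseteq \Psi_1
\qquad\text{and therefore}\qquad
\overline{\Pi} \cap \Psi_2 = \overline{\Pi} \cap \Psi_2 \cap \Psi_1 \subseteq \overline{\Pi} \cap \Psi_1 \subseteq \Pi ,
$$

which is the condition of Proposition 1 for $\Pi$ relative to $\Psi_2$. The first inclusion is exactly where the hypothesis on $\Psi_1$ is needed; without it, $\overline{\Pi} \cap \Psi_2$ may contain strings outside $\Psi_1$ to which the hypothesis on $\Pi$ says nothing, which is why the converse of Proposition 3 fails in general.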

In general, properties become "safer" if they are viewed relative to stronger (i.e., more restrictive) properties: a property that is not an unconditional safety property may be safe relative to another property. In the next section, we will give interesting examples of such properties that are shifted "towards safety."

We say that a pair $(\Pi_S, \Pi_L)$ specifies the property $\Pi \subseteq \Psi$ congruously relative to $\Psi \subseteq \Sigma^\omega$ iff $\Pi = \Pi_S \cap \Pi_L$ and $\Pi_S$ is safe relative to $\Psi$ and $\Pi_L$ is live relative to $\Psi$ and every finite prefix of a string in $\Pi_S \cap \Psi$ can be extended to a string in $\Pi$. Thus a specification is unconditionally congruous iff it is congruous relative to $\Sigma^\omega$. The following theorem generalizes the main result about the unconditional safety-liveness classification (Theorem 1).

Theorem 2 (Existence of relatively congruous specifications)  For all $\Psi \subseteq \Sigma^\omega$, every property $\Pi \subseteq \Psi$ has a specification that is congruous relative to $\Psi$.

Proof of Theorem 2  Let $\Pi_S = \overline{\Pi}$ and $\Pi_L = \neg((\Pi_S \cap \Psi) - \Pi)$; then $\Pi_S$ is unconditionally safe. Alternatively, let $\Pi_S = \overline{\Pi} \cap \Psi$ and $\Pi_L = \neg(\Pi_S - \Pi)$; then $\Pi_S \subseteq \Psi$. We show that $(\Pi_S, \Pi_L)$ specifies $\Pi$ congruously relative to $\Psi$ in either case.

It is not hard to see that $\Pi = \Pi_S \cap \Pi_L$ and that $\Pi_S \cap \Psi \subseteq \overline{\Pi}$, that is, every finite prefix of a string in $\Pi_S \cap \Psi$ can be extended to a string in $\Pi$. Proposition 3 implies that $\Pi_S = \overline{\Pi}$, and thus also $\Pi_S = \overline{\Pi} \cap \Psi$, is safe relative to $\Psi$.

It remains to be shown that $\Pi_L$ is live relative to $\Psi$ or, by Proposition 2, that

$$\Psi \subseteq \overline{\neg((\overline{\Pi} \cap \Psi) - \Pi) \cap \Psi} .$$

Since $\Pi \subseteq \Psi$, this condition is equivalent to

$$\Psi \subseteq \overline{\Pi \cup (\Psi - \overline{\Pi})} .$$

We can derive both

$$\overline{\Pi} \cap \Psi \subseteq \overline{\Pi \cup (\Psi - \overline{\Pi})}$$

and

using  the  monotonicity  of  the  closure  operator.  ■ 
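The set-algebra steps that the proof of Theorem 2 compresses, written out as an added worked derivation (editor's addition, not part of the original text) for the second choice $\Pi_S = \overline{\Pi} \cap \Psi$, $\Pi_L = \neg(\Pi_S - \Pi)$; the first choice is not worked out here.

Since $\Pi \subseteq \Psi$ and $\Pi \subseteq \overline{\Pi}$, we have $\Pi \subseteq \Pi_S$, so

$$
\Pi_S \cap \Pi_L = \Pi_S \cap (\neg\Pi_S \cup \Pi) = \Pi_S \cap \Pi = \Pi ,
\qquad
\Pi_S \cap \Psi = \overline{\Pi} \cap \Psi \subseteq \overline{\Pi} ,
$$

the second of which says that every finite prefix of a string in $\Pi_S \cap \Psi$ extends to a string in $\Pi$. For the liveness of $\Pi_L$ relative to $\Psi$, again using $\Pi \subseteq \Psi$,

$$
\Pi_L \cap \Psi = \Psi - \big((\overline{\Pi} \cap \Psi) - \Pi\big) = (\Psi - \overline{\Pi}) \cup (\Psi \cap \Pi) = \Pi \cup (\Psi - \overline{\Pi}) ,
$$

and $\Psi$ decomposes as $\Psi = (\overline{\Pi} \cap \Psi) \cup (\Psi - \overline{\Pi})$. Each half lies in $\overline{\Pi_L \cap \Psi}$ by monotonicity of the closure operator:

$$
\overline{\Pi} \cap \Psi \subseteq \overline{\Pi} \subseteq \overline{\Pi \cup (\Psi - \overline{\Pi})} ,
\qquad
\Psi - \overline{\Pi} \subseteq \overline{\Psi - \overline{\Pi}} \subseteq \overline{\Pi \cup (\Psi - \overline{\Pi})} .
$$

Hence $\Psi \subseteq \overline{\Pi_L \cap \Psi}$, which is the condition of Proposition 2 for $\Pi_L \cap \Psi$ relative to $\Psi$.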

Note that our definition of relative congruity again ensures operationality: a machine that incrementally generates prefixes in $\Pi_S \cap \Psi$ will never reach an irremediable situation from which the liveness conditions of $\Pi_L \cap \Psi$ cannot be satisfied.

3  Real-time  Safety  and  Liveness 

The behavior of a discrete real-time system can be described by an infinite sequence of pairs

$$\rho:\ (\sigma_0, \tau_0) \to (\sigma_1, \tau_1) \to (\sigma_2, \tau_2) \to (\sigma_3, \tau_3) \to \cdots$$

of states $\sigma_i \in \Sigma$, $i \ge 0$, and corresponding times $\tau_i \in T$. While we do not commit to any particular time domain $T$, we assume that there is a real-valued metric $d$ on $T$. The sequence $\rho = (\sigma, \tau)$ is called a timed state sequence.

A real-time property $\Pi$ is a subset of $\Psi_{all}$, the set of all timed state sequences. It is straightforward to extend the definitions of unconditional and relative safety and liveness to real-time properties. All results of the previous sections carry over. In particular, any trivial one-element time domain yields a model that is isomorphic to the original untimed setup.

Different  models  of  time  and  computation  put  vastly  different  requirements 
on  the  time  component  r  of  legal  behaviors  p  =  {a,  r)  of  a  real-time  system. 
For  instance: 

•  Interval  models  of  time  associate  with  every  state  its  duration  over  time, 
while  clock  models  stamp  observations  of  the  system  state  with  time  in¬ 
stants.  Intervals  of  the  real  line  are  a  suitable  time  domain  for  the  former 
model,  points  for  the  latter. 

•  Analog- clock  models  of  time  record  the  exact  time  of  every  state,  while 
digital-clock  models  measure  the  time  of  a  state  only  with  finite  precision. 
The  reals  are  a  suitable  time  domain  for  the  former  model,  the  integers 
for  the  latter. 
•  In synchronous models of computation, all concurrent activity happens in lock-step, while asynchronous (interleaving) models sequentialize simultaneous actions nondeterministically. Strictly monotonic time is appropriate for the former model, while instantaneous actions are required by the latter [HMP90].

Given a particular choice of model, we consider, by definition, only a subset $\Psi \subseteq \Psi_{all}$ of timed state sequences as possible behaviors of a real-time system; that is, the specification of a property $\Pi$ really defines $\Pi \cap \Psi$. Thus we can specify $\Pi$ by describing any property $\Pi'$ with $\Pi' \cap \Psi = \Pi \cap \Psi$, possibly even using a safety property $\Pi'$ to specify a liveness property $\Pi \cap \Psi$. Precisely this phenomenon has been captured formally by the concept of safety and liveness relative to the timing assumption $\Psi$.

There  are  two  particularly  important  model-independent  timing  assump¬ 
tions: 

1.  All "reasonable" models of time require that time must not decrease. A timed state sequence $(\sigma, \tau)$ is called monotonic iff time increases (weakly) monotonically:

    $$d(\tau_0, \tau_i) \le d(\tau_0, \tau_{i+1}) \quad \text{for all } i \ge 0 .$$

    The set $\Psi_{mon} \subseteq \Psi_{all}$ of all monotonic timed state sequences is a safety property.

2.  The behavior of a continuous system that may change its state infinitely often between any two points in time cannot be modeled adequately by an $\omega$-sequence of states. Thus, given our choice of a timed state sequence semantics, we may "reasonably" demand that time diverges. A timed state sequence $(\sigma, \tau)$ is called divergent iff time eventually progresses beyond any point:

    for every $\delta$ in the range of $d$, there is some $i \ge 0$ such that $d(\tau_0, \tau_i) > \delta$.

    The set $\Psi_{div} \subseteq \Psi_{all}$ of all divergent timed state sequences is a liveness property.

It follows that most timing assumptions are subsets of $\Psi_{time} = \Psi_{mon} \cap \Psi_{div}$.

Therefore we are especially interested in safety, liveness, and operationality relative to monotonic divergence (i.e., relative to $\Psi_{time}$). The class of properties that are safe relative to monotonic divergence includes many important real-time properties that are unconditional liveness properties; that is, all the liveness they stipulate is subsumed by the divergence of time.

Bounded response is the standard example of a real-time property that is unconditionally live and becomes safe under strong enough timing assumptions [HMP90, Lam91, LA90, Sch91]. The bounded-response property $\Pi^{p,q}_\delta$ contains a timed state sequence $(\sigma, \tau)$ iff for all $i \ge 0$, whenever $\sigma_i = p$, then $\sigma_j = q$ and $d(\tau_i, \tau_j) \le \delta$ for some $j \ge i$; that is, every $p$ state is followed by a $q$ state within time $\delta$. Clearly, $\Pi^{p,q}_\delta$ is an unconditional liveness property.

Now let us consider $\Pi^{p,q}_\delta$ relative to monotonicity, and then relative to monotonic divergence. Provided that $p$ and $q$ are different states, $\Pi^{p,q}_\delta$ is not safe relative to $\Psi_{mon}$, because it contains all monotonic timed state sequences of the form

$$(p, x) \to \cdots \to (p, x) \to (q, x) \to \cdots$$

without containing the monotonic sequence

$$(p, x) \to (p, x) \to (p, x) \to \cdots .$$

Provided that there are times $x$ and $y$ with $d(x, y) > \delta$, the property $\Pi^{p,q}_\delta$ is not live relative to $\Psi_{mon}$ either, because the finite prefix

$$(p, x) \to (p, y)$$

cannot be extended to a monotonic sequence in $\Pi^{p,q}_\delta$. The bounded-response property is, however, a safety property relative to monotonic divergence; the "bad thing" that is not supposed to happen is that, after a $p$ state, $\delta$ time units pass without a $q$ state occurring.
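As an added example (editor's code, not part of the paper), a runtime monitor that classifies finite prefixes of timed state sequences against $\Pi^{p,q}_\delta$. It assumes an analog-clock model, $T$ the reals with $d(x, y) = |x - y|$, and checks the prefix relative to $\Psi_{time}$: under monotonicity every later observation is at least as late as the current one, so once more than $\delta$ time has elapsed after a $p$ state with no $q$, no extension in $\Psi_{time}$ lies in $\Pi^{p,q}_\delta$ and the monitor can reject the prefix as irremediable. The constant-time trace in the usage section is the paper's $(p, x) \to (p, x) \to \cdots$: no finite prefix of it is ever rejected, which is the sense in which the property is not safe relative to $\Psi_{mon}$ alone; that run is excluded only by divergence. The traces and the state names `req`/`ack` are constructed for the example.

```python
"""Runtime monitor for bounded response Pi^{p,q}_delta on a finite prefix of a
timed state sequence, checked relative to monotonic divergence Psi_time.
Editor's added example, not code from the paper.  Assumption: the time
domain T is the reals with metric d(x, y) = |x - y| (analog-clock model)."""


def d(x, y):
    """Metric on the time domain (assumption: T = reals)."""
    return abs(x - y)


class BoundedResponseMonitor:
    """Incrementally classifies a finite timed prefix.

    Verdicts:
      "nonmonotonic": time decreased, so the prefix lies outside Psi_mon;
      "violated":     some p state at time t has seen more than delta time
                      pass without a q state; every later time is at least
                      as large, so no extension in Psi_time is in Pi and the
                      prefix is irremediable (the "bad thing" has happened);
      "pending":      some p state still awaits its q within delta;
      "satisfied":    every p state so far was answered by a q within delta.
    """

    def __init__(self, p, q, delta):
        self.p, self.q, self.delta = p, q, delta
        self.last_time = None
        self.open_p = []            # times tau_i of p states not yet answered
        self.verdict = "satisfied"

    def observe(self, state, time):
        if self.verdict in ("violated", "nonmonotonic"):
            return self.verdict     # irremediable: later observations cannot help
        if self.last_time is not None and time < self.last_time:
            self.verdict = "nonmonotonic"
            return self.verdict
        self.last_time = time
        if state == self.p:         # new obligation; j >= i in the definition, so
            self.open_p.append(time)  # a q at the same position answers it (p == q)
        if state == self.q:         # a q answers every open p within delta
            self.open_p = [t for t in self.open_p if d(t, time) > self.delta]
        if any(d(t, time) > self.delta for t in self.open_p):
            self.verdict = "violated"
        elif self.open_p:
            self.verdict = "pending"
        else:
            self.verdict = "satisfied"
        return self.verdict


def monitor_trace(p, q, delta, trace):
    """Verdict for a whole finite prefix given as a list of (state, time)."""
    mon = BoundedResponseMonitor(p, q, delta)
    for state, time in trace:
        mon.observe(state, time)
    return mon.verdict


if __name__ == "__main__":
    # Constructed traces with p = "req", q = "ack", delta = 3.
    print(monitor_trace("req", "ack", 3, [("req", 0), ("req", 1), ("ack", 2)]))  # satisfied
    # The paper's prefix (p, x) -> (p, y) with d(x, y) > delta is irremediable.
    print(monitor_trace("req", "ack", 3, [("req", 0), ("req", 5)]))             # violated
    # (p, x) -> (p, x) -> ...: no finite prefix is ever rejected, so relative to
    # Psi_mon alone the property is not safe; divergence excludes this run.
    print(monitor_trace("req", "ack", 3, [("req", 0)] * 1000))                  # pending
```

The monitor is exactly the finite-prefix decision procedure that relative safety promises: because the bad thing is observable after finitely many states once time is known to diverge, a detection rule can be stated as "reject when elapsed time since an unanswered `req` exceeds delta" without any look-ahead, which is what makes the bounded-response requirement operational under $\Psi_{time}$.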

Real-time  transition  systems  [HMP91]  and  extended  state  machines  [Ost90] 
are  examples  of  specifications  that  are  congruous  relative  to  monotonic  diver¬ 
gence,  and  thus  operational  descriptions  of  real-time  systems.  So  are  the  timed 
automata  of  [LA90],  which  specify  only  properties  that  are  safe  relative  to 
monotonic  divergence.  On  the  other  hand,  real-time  temporal  logics  such  as 
[AH89,  Koy90,  Ost90]  and  the  timed  automata  of  [AD90]  permit,  relative  to 
monotonic  divergence,  incongruous  specifications  of  real-time  systems.  A  ma¬ 
chine  trying  to  execute  such  a  specification  without  look-ahead  may  find  itself  in 
a  situation  from  which  time  cannot  advance  without  violating  the  specification. 